VPN tunnel inside other VPN tunnel


I've had this working on my home router for a few months with no issues. DD-WRT is configured as an OpenVPN client to a PrivateInternetAccess account so that all PCs are forced to use it for Internet traffic. Then I tunnel each PC using OpenVPN to a different service. Performance definitely takes a hit but it's still quite usable and there are no routing problems.

I know this question is over a year old but I thought my input might be useful as I use a similar technique.

I use a Linux desktop machine which is set up to use an OpenVPN client connection to Private Internet Access. That PIA account was paid for using a Walmart gift card that was bought for cash whilst on holiday over 1000 miles from where I live. Furthermore, the card was kept for 6 months before it was used in order to further erode the money trail.

The next line in the anonymity defence is that I run a second Linux desktop machine as a virtual machine on the first desktop. The network on that VM is set up as a NAT so it doesn't share the same subnet as the host nor any of my other internal clients. In addition, that VM is also running a LEAP-based VPN that is provided free of charge by an organisation of which I am a member. That VPN was set up with a false name and a one-time-use email address.

I only use this setup when exchanging data with other activists and I have to say it is not used for illegal purposes. I go to these lengths because I know how to and I value my privacy.

My network is provided by fibre and the slowdown caused by the two overheads is tolerable enough to still be able to stream YouTube videos.

Note, if you are using any VPN at all you have effectively punched a hole through your broadband router's firewall. You must use a software firewall on the client. I have a firewall running on both the host and virtual machine.

I could add a third VPN layer by setting up the router to connect to a third VPN provider but that might be overkill.

The point of doing this is that it makes the technological challenge of sniffing the traffic much harder. Also, as stated by executifs above, the more important point is that it makes the legal battle to get logs way harder, especially as both VPN providers claim not to keep logs.

My inner VPN provider uses a signed warrant canary (https://en.wikipedia.org/wiki/Warrant_canary) on their website. If that file is not updated in a signed manner every month then every user is to assume that they have been served with a gagging order by law enforcement.

Hope this helps
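The monthly canary check described in the answer above can be automated. This is an added example, not part of the original post or any provider's tooling: it assumes the canary is an OpenPGP-signed file verified with `gpg`, that you have pinned the provider's key fingerprint out of band, and that a 31-day window stands in for "every month". `PINNED`, `SAMPLE` and the function names are constructed for illustration.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (fingerprints are fake).
PINNED = "B" * 40
SAMPLE = ("[GNUPG:] NEWSIG\n"
          "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Provider\n"
          f"[GNUPG:] VALIDSIG {'A' * 40} 2024-05-01 1714521600 0 4 0 1 10 01 {PINNED}\n")

def gpg_status(path):
    """Verify a canary file with gpg and return the status lines (assumes gpg is installed)."""
    return subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True).stdout

def _parse_time(field):
    # gpg reports epoch seconds, or an ISO 8601 string containing 'T'.
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def canary_verdict(status, pinned_fpr, now, max_age_days=31):
    """Return 'ok', 'bad-signature', 'wrong-key' or 'stale'."""
    signer = signed_at = None
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return "bad-signature"
        if parts[1] == "VALIDSIG" and len(parts) >= 5:
            # Field 12 is the primary key fingerprint when gpg supplies it.
            signer = parts[11] if len(parts) >= 12 else parts[2]
            signed_at = _parse_time(parts[4])
    if signed_at is None:
        return "bad-signature"      # no valid signature found at all
    if signer.upper() != pinned_fpr.replace(" ", "").upper():
        return "wrong-key"          # validly signed, but not by the pinned key
    if now - signed_at > timedelta(days=max_age_days):
        return "stale"              # no fresh signed update: assume the canary is dead
    return "ok"

if __name__ == "__main__":
    print(canary_verdict(SAMPLE, PINNED, datetime.now(timezone.utc)))
```

Anything other than `ok` should be treated the same way as a missing update. The check uses the signature's own creation time, so an old canary re-served unchanged is still reported as stale.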

I disagree with Graham Hill. This setup should work as you expect, and I believe that it will increase your anonymity.

An alternative would be to connect to the VPN through Tor: this way, the provider wouldn't know where the connections originate from, and the Tor nodes would only see encrypted packets.

In any case, mind the money trail: if you pay for both VPN accounts with your credit card, the (possible) connection logs won't matter.

I should also point out that the choice of the provider matters: some will sell you out quicker than others. Check out this enlightening TorrentFreak article for more info!